Example 56 with PrincipalIterator
use of org.apache.jackrabbit.api.security.principal.PrincipalIterator in project jackrabbit-oak by apache.
the class PrincipalManagerTest method testGetGroupPrincipals.
@Test
public void testGetGroupPrincipals() {
PrincipalIterator it = principalMgr.getPrincipals(PrincipalManager.SEARCH_TYPE_GROUP);
while (it.hasNext()) {
Principal p = it.nextPrincipal();
assertTrue(isGroup(p));
}
}
Also used :
PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator)
Principal(java.security.Principal)
EveryonePrincipal(org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal)
Test(org.junit.Test)
AbstractJCRTest(org.apache.jackrabbit.test.AbstractJCRTest)
Example 57 with PrincipalIterator
use of org.apache.jackrabbit.api.security.principal.PrincipalIterator in project jackrabbit-oak by apache.
the class UserImportBestEffortTest method testImportNonExistingImpersonationBestEffort.
@Test
public void testImportNonExistingImpersonationBestEffort() throws Exception {
// an non-existing princ-name
String principalName = "anybody";
String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + "<sv:node sv:name=\"t\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:User</sv:value></sv:property>" + " <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>" + " <sv:property sv:name=\"rep:password\" sv:type=\"String\"><sv:value>{sha1}8efd86fb78a56a5145ed7739dcb00c78581c5375</sv:value></sv:property>" + " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>t</sv:value></sv:property>" + " <sv:property sv:name=\"rep:impersonators\" sv:type=\"String\"><sv:value>" + principalName + "</sv:value></sv:property>" + "</sv:node>";
doImport(getTargetPath(), xml);
Authorizable a = getUserManager().getAuthorizable("t");
assertFalse(a.isGroup());
boolean found = false;
PrincipalIterator it = ((User) a).getImpersonation().getImpersonators();
while (it.hasNext()) {
Principal p = it.nextPrincipal();
if (principalName.equals(p.getName())) {
found = true;
break;
}
}
assertTrue(found);
}
Also used :
Authorizable(org.apache.jackrabbit.api.security.user.Authorizable)
PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator)
Principal(java.security.Principal)
Test(org.junit.Test)
Example 58 with PrincipalIterator
use of org.apache.jackrabbit.api.security.principal.PrincipalIterator in project jackrabbit-oak by apache.
the class SystemUserImportTest method testExistingPrincipal.
@Test
public void testExistingPrincipal() throws Exception {
Principal existing = null;
Session s = getImportSession();
PrincipalIterator principalIterator = ((JackrabbitSession) s).getPrincipalManager().getPrincipals(PrincipalManager.SEARCH_TYPE_ALL);
while (principalIterator.hasNext()) {
Principal p = principalIterator.nextPrincipal();
if (getUserManager().getAuthorizable(p) != null) {
existing = p;
break;
}
}
if (existing == null) {
throw new NotExecutableException();
}
String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + "<sv:node sv:name=\"t\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">" + " <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:SystemUser</sv:value></sv:property>" + " <sv:property sv:name=\"jcr:uuid\" sv:type=\"String\"><sv:value>e358efa4-89f5-3062-b10d-d7316b65649e</sv:value></sv:property>" + " <sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>" + existing.getName() + "</sv:value></sv:property>" + "</sv:node>";
try {
doImport(getTargetPath(), xml);
s.save();
fail("Import must detect conflicting principals.");
} catch (RepositoryException e) {
// success
}
}
Also used :
NotExecutableException(org.apache.jackrabbit.test.NotExecutableException)
PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator)
RepositoryException(javax.jcr.RepositoryException)
Principal(java.security.Principal)
Session(javax.jcr.Session)
JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession)
Test(org.junit.Test)
Example 59 with PrincipalIterator
use of org.apache.jackrabbit.api.security.principal.PrincipalIterator in project jackrabbit-oak by apache.
the class NestedGroupTest method testInheritedMembership.
@Test
public void testInheritedMembership() throws NotExecutableException, RepositoryException {
Group gr1 = null;
Group gr2 = null;
Group gr3 = null;
if (!(superuser instanceof JackrabbitSession)) {
throw new NotExecutableException();
}
try {
gr1 = createGroup(getTestPrincipal());
gr2 = createGroup(getTestPrincipal());
gr3 = createGroup(getTestPrincipal());
assertTrue(addMember(gr1, gr2));
assertTrue(addMember(gr2, gr3));
// NOTE: don't test with Group.isMember for not required to detect
// inherited membership -> rather with PrincipalManager.
boolean isMember = false;
PrincipalManager pmgr = ((JackrabbitSession) superuser).getPrincipalManager();
for (PrincipalIterator it = pmgr.getGroupMembership(gr3.getPrincipal()); it.hasNext() && !isMember; ) {
isMember = it.nextPrincipal().equals(gr1.getPrincipal());
}
assertTrue(isMember);
} finally {
if (gr1 != null && gr1.isMember(gr2)) {
removeMember(gr1, gr2);
}
if (gr2 != null && gr2.isMember(gr3)) {
removeMember(gr2, gr3);
}
if (gr1 != null)
removeGroup(gr1);
if (gr2 != null)
removeGroup(gr2);
if (gr3 != null)
removeGroup(gr3);
}
}
Also used :
PrincipalManager(org.apache.jackrabbit.api.security.principal.PrincipalManager)
Group(org.apache.jackrabbit.api.security.user.Group)
NotExecutableException(org.apache.jackrabbit.test.NotExecutableException)
PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator)
JackrabbitSession(org.apache.jackrabbit.api.JackrabbitSession)
Test(org.junit.Test)
Example 60 with PrincipalIterator
use of org.apache.jackrabbit.api.security.principal.PrincipalIterator in project jackrabbit by apache.
the class UserImporter method processReferences.
/**
* @see org.apache.jackrabbit.core.xml.ProtectedPropertyImporter#processReferences()
*/
public void processReferences() throws RepositoryException {
if (!initialized) {
throw new IllegalStateException("Not initialized");
}
// assert that user manager is isn't in auto-save mode
if (userManager.isAutoSave()) {
userManager.autoSave(false);
}
try {
List<Object> processed = new ArrayList<Object>();
for (Iterator<Object> it = referenceTracker.getProcessedReferences(); it.hasNext(); ) {
Object reference = it.next();
if (reference instanceof Membership) {
Authorizable a = userManager.getAuthorizable(((Membership) reference).groupId);
if (a == null || !a.isGroup()) {
throw new RepositoryException(((Membership) reference).groupId + " does not represent a valid group.");
}
final Group gr = (Group) a;
// 1. collect members to add and to remove.
Map<String, Authorizable> toRemove = new HashMap<String, Authorizable>();
for (Iterator<Authorizable> declMembers = gr.getDeclaredMembers(); declMembers.hasNext(); ) {
Authorizable dm = declMembers.next();
toRemove.put(dm.getID(), dm);
}
List<Authorizable> toAdd = new ArrayList<Authorizable>();
final List<Membership.Member> nonExisting = new ArrayList<Membership.Member>();
for (Membership.Member member : ((Membership) reference).members) {
NodeId remapped = referenceTracker.getMappedId(member.id);
NodeId id = (remapped == null) ? member.id : remapped;
Authorizable authorz = null;
try {
NodeImpl n = ((SessionImpl) session).getNodeById(id);
authorz = userManager.getAuthorizable(n);
} catch (RepositoryException e) {
// no such node or failed to retrieve authorizable
// warning is logged below.
}
if (authorz != null) {
if (toRemove.remove(authorz.getID()) == null) {
toAdd.add(authorz);
}
// else: no need to remove from rep:members
} else {
handleFailure("New member of " + gr + ": No such authorizable (NodeID = " + id + ")");
if (importBehavior == ImportBehavior.BESTEFFORT) {
log.info("ImportBehavior.BESTEFFORT: Remember non-existing member for processing.");
nonExisting.add(member);
}
}
}
// 2. adjust members of the group
for (Authorizable m : toRemove.values()) {
if (!gr.removeMember(m)) {
handleFailure("Failed remove existing member (" + m + ") from " + gr);
}
}
for (Authorizable m : toAdd) {
if (!gr.addMember(m)) {
handleFailure("Failed add member (" + m + ") to " + gr);
}
}
// handling non-existing members in case of best-effort
if (!nonExisting.isEmpty()) {
log.info("ImportBehavior.BESTEFFORT: Found " + nonExisting.size() + " entries of rep:members pointing to non-existing authorizables. Adding to rep:members.");
final NodeImpl groupNode = ((AuthorizableImpl) gr).getNode();
if (userManager.hasMemberSplitSize()) {
userManager.performProtectedOperation((SessionImpl) session, new SessionWriteOperation<Object>() {
public Boolean perform(SessionContext context) throws RepositoryException {
NodeImpl nMembers = (groupNode.hasNode(UserConstants.N_MEMBERS) ? groupNode.getNode(UserConstants.N_MEMBERS) : groupNode.addNode(UserConstants.N_MEMBERS, UserConstants.NT_REP_MEMBERS, null));
// Create N_MEMBERS node structure for holding member references
for (Membership.Member member : nonExisting) {
PropertySequence properties = GroupImpl.getPropertySequence(nMembers, userManager);
String propName = member.name;
if (propName == null) {
log.debug("Ignoring unnamed user with id {}", member.id);
continue;
}
if (properties.hasItem(propName)) {
log.debug("Overwriting authorizable {} which is already member of {}.", propName, gr);
properties.removeProperty(propName);
}
Value newMember = session.getValueFactory().createValue(member.id.toString(), PropertyType.WEAKREFERENCE);
properties.addProperty(propName, newMember);
}
return null;
}
});
} else {
// Create P_MEMBERS for holding member references
// build list of valid members set before ....
List<Value> memberValues = new ArrayList<Value>();
if (groupNode.hasProperty(UserConstants.P_MEMBERS)) {
Value[] vls = groupNode.getProperty(UserConstants.P_MEMBERS).getValues();
memberValues.addAll(Arrays.asList(vls));
}
// ... and the non-Existing ones.
for (Membership.Member member : nonExisting) {
memberValues.add(session.getValueFactory().createValue(member.id.toString(), PropertyType.WEAKREFERENCE));
}
// and use implementation specific method to set the
// value of rep:members properties which was not possible
// through the API
userManager.setProtectedProperty(groupNode, UserConstants.P_MEMBERS, memberValues.toArray(new Value[memberValues.size()]), PropertyType.WEAKREFERENCE);
}
}
processed.add(reference);
} else if (reference instanceof Impersonators) {
Authorizable a = userManager.getAuthorizable(((Impersonators) reference).userId);
if (a == null || a.isGroup()) {
throw new RepositoryException(((Impersonators) reference).userId + " does not represent a valid user.");
}
Impersonation imp = ((User) a).getImpersonation();
// 1. collect principals to add and to remove.
Map<String, Principal> toRemove = new HashMap<String, Principal>();
for (PrincipalIterator pit = imp.getImpersonators(); pit.hasNext(); ) {
Principal princ = pit.nextPrincipal();
toRemove.put(princ.getName(), princ);
}
List<Principal> toAdd = new ArrayList<Principal>();
Value[] vs = ((Impersonators) reference).values;
for (Value v : vs) {
String princName = v.getString();
if (toRemove.remove(princName) == null) {
// add it to the list of new impersonators to be added.
toAdd.add(new PrincipalImpl(princName));
}
// else: no need to revoke impersonation for the given principal.
}
// 2. adjust set of impersonators
for (Principal princ : toRemove.values()) {
if (!imp.revokeImpersonation(princ)) {
handleFailure("Failed to revoke impersonation for " + princ.getName() + " on " + a);
}
}
for (Principal princ : toAdd) {
if (!imp.grantImpersonation(princ)) {
handleFailure("Failed to grant impersonation for " + princ.getName() + " on " + a);
}
}
// NOTE: no best effort handling so far. (TODO)
processed.add(reference);
}
}
// successfully processed this entry of the reference tracker
// -> remove from the reference tracker.
referenceTracker.removeReferences(processed);
} finally {
// the original state.
if (resetAutoSave) {
userManager.autoSave(true);
}
}
}
Also used :
Group(org.apache.jackrabbit.api.security.user.Group)
Impersonation(org.apache.jackrabbit.api.security.user.Impersonation)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
Authorizable(org.apache.jackrabbit.api.security.user.Authorizable)
ArrayList(java.util.ArrayList)
LinkedList(java.util.LinkedList)
List(java.util.List)
PrincipalImpl(org.apache.jackrabbit.core.security.principal.PrincipalImpl)
NodeImpl(org.apache.jackrabbit.core.NodeImpl)
PrincipalIterator(org.apache.jackrabbit.api.security.principal.PrincipalIterator)
RepositoryException(javax.jcr.RepositoryException)
PropertySequence(org.apache.jackrabbit.commons.flat.PropertySequence)
NodeId(org.apache.jackrabbit.core.id.NodeId)
Value(javax.jcr.Value)
SessionContext(org.apache.jackrabbit.core.session.SessionContext)
SessionImpl(org.apache.jackrabbit.core.SessionImpl)
HashMap(java.util.HashMap)
Map(java.util.Map)
Principal(java.security.Principal)
Aggregations
PrincipalIterator (org.apache.jackrabbit.api.security.principal.PrincipalIterator)61
Principal (java.security.Principal)40
Test (org.junit.Test)35
EveryonePrincipal (org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal)15
AbstractJCRTest (org.apache.jackrabbit.test.AbstractJCRTest)11
JackrabbitSession (org.apache.jackrabbit.api.JackrabbitSession)9
PrincipalManager (org.apache.jackrabbit.api.security.principal.PrincipalManager)9
NotExecutableException (org.apache.jackrabbit.test.NotExecutableException)9
ArrayList (java.util.ArrayList)8
Authorizable (org.apache.jackrabbit.api.security.user.Authorizable)7
Group (java.security.acl.Group)5
RepositoryException (javax.jcr.RepositoryException)4
Group (org.apache.jackrabbit.api.security.user.Group)4
TestPrincipal (org.apache.jackrabbit.core.security.TestPrincipal)4
EveryonePrincipal (org.apache.jackrabbit.core.security.principal.EveryonePrincipal)4
HashSet (java.util.HashSet)3
Impersonation (org.apache.jackrabbit.api.security.user.Impersonation)3
User (org.apache.jackrabbit.api.security.user.User)3
Session (javax.jcr.Session)2
Subject (javax.security.auth.Subject)2
